What is Schrems II?

The Schrems II decision came out nearly 2 years ago, on 16 July 2020. Given the enormous data flows from the EEA and UK to the USA, and many unanswered questions after the decision, most organisations chose to wait to see what assistance European regulators came out with, and whether a successor to the Privacy Shield would be rushed out.

March 2022, they’re still waiting.

Is the relative peace about to be shattered?

What is Schrems II?

Schrems II is the short name given to the 2020 decision by Europe’s top court (the CJEU), that invalidated Privacy Shield, the adequacy decision that we all relied on to legitimately transfer personal data from the EEA (effectively including the UK at the time) to the USA.

It was the sequel to 2015’s blockbuster case Schrems I, which in our innocence we used to just call Schrems.

We’ve a great Privacy Kitchen video from just after the Schrems II decision that sets out the decision and impact (Privacy Kitchen is hosted in YouTube and watching the video is subject to the use of Google’s Privacy Policy and Cookie Policy):

Wait, there’s a Schrems I?

Absolutely, and both Schrems I and Schrems II come from the same fundamental issue: transfer of personal data from the EEA to the US by Facebook.

• In 2013, Austrian Privacy lawyer and activist Max Schrems filed a complaint with the Irish Data Protection Commissioner (DPC) under the 1995 EU Data Protection Directive. (GDPR only passed into law in 2016 and applied from 2018.)
• It was against the export of his personal data by Facebook Ireland to Facebook USA using Safe Harbor – the ‘adequacy decision’ under the 95 DPD in favour of the USA, or rather the Safe Harbor self-certification structure in the USA that was the subject of the adequacy decision.
• Because Facebook Ireland is Facebook’s main establishment in Europe for the purposes of data protection law, the DPC was the regulator in charge of hearing the complaint.
• After the initial regulatory process before the DPC, matters progressed to the Irish courts, which decided to refer questions to the CJEU on the interpretation of EU law and the adequacy of Safe Harbor.

Hey presto, on 6 October 2015, the CJEU held the Safe Harbor invalid due to US surveillance law.

What happened after Schrems I?

There were some similarities with Schrems II:

• Safe Harbor was immediately invalid, and
• under Schrems I, transfer tools such as Standard Contractual Clauses (SCCs) remained valid as a mechanism.

But there were three major differences:

• there wasn’t the knock-down blow against SCCs of ‘supplemental measures’ after the data exporter had carefully reviewed the laws (in particular the surveillance laws) of the recipient country – no TIAs or Transfer Impact Assessments,
• Regulators provided ‘a transitional period for firms to adjust. The Art. 29 WP gave three months’ leeway, stating that coordinated enforcement actions would be taken by the end of January 2016 if no appropriate solution is found with the US authorities.’
• The Privacy Shield came in slightly after that target, with a decision on 12 July 2016 taking effect on 1 August 2016. That’s 10 months after the Schrems I decision. Many had implemented SCCs immediately after the decision, but those that hadn’t had not waited in vain.

So why was there a Schrems II?

After Safe Harbor fell, Facebook said it relied on SCCs for transfers to the USA, so Max Schrems changed his complaint and the whole process started again:

• regulatory process at the DPC,
• Irish court action, referral to the CJEU and,
• in 2020, the Schrems II decision.

Safe Harbor & Privacy Shield

Just for completeness, under EU Data Protection law (the 95 DPD and then GDPR) no personal data can be sent outside or accessed outside the EEA (a ‘transfer’) unless:

• the European Commission decides that the third country (or a mechanism like Safe Harbor or Privacy Shield)  ensures an essentially equivalent level of protection (‘adequacy decision’), or
• you can validly use a ‘strategic solution’ transfer tool such as SCCs, or
• you can use a ‘tactical solution’ such as explicit consent or an exemption.

Safe Harbor and Privacy Shield were structures run by the US Dept of Commerce that US entities could sign up to, voluntarily accepting to abide by key EU Data Protection principles and accepting certain jurisdiction of EEA DPAs.

Privacy Shield is still live, although invalid under GDPR, with many entities still signed up in the hope that its successor will come soon and everyone can just transition.

Privacy Harbor III?

It’s March 2022, 19 months after Schrems II. There’s still no replacement to Privacy Shield.

There’s a fair bit of reporting that we may be close. It remains to be seen how any suggested solution will pass through the required process – and whether we’ll see it challenged, perhaps even a Schrems III…

The impact is happening now

It takes time for enforcement proceedings to work through the system, but it didn’t take a month for Max Schrems’s NOYB (None of Your Business) organisation to file 101 complaints with European DPAs about the use of Google and Facebook by websites in Europe.

The first complaints were filed in early August 2020, and January 2022 saw the first national Data Protection Authority (DPA) decision, from the Austrian DSB. We’ve a great summary of the 3 decisions on the use of Google Analytics, as set out in those cases, being contrary to GDPR.

What it means for you

We’re 19 months after Schrems II, when the gap was only 10 months after Schrems I. The EDPB issued some Recommendations which didn’t offer much respite in practice. The risk-based approach many have high hopes for was given short shrift in the 3 GD decisions. And those first decisions aren’t really about GA, they’re about any transfer to a cloud provider in the US – indeed any US entity covered by FISA 702 and similar laws.

We decided we couldn’t wait for our vendors to move towards compliance – Schrems II compliance – so we put in place various projects to ‘Schremsify’ our tech stack. Our Schrems-compliant new datacenter is the most visible part of that, but for example, we’ve found a Schrems-compliant marketing automation solution and calendar meeting solution.

So what to do, in practice?

• identify your transfers, start with identifying your processors and their sub-processors,
• identify any transfers that aren’t to adequacy decision territories,
• decide if SCCs are sufficient on their own to negate access by the third country, in particular under surveillance laws,
• if not, are there any supplemental measures that will negate the access,
• if so implement and document them,
• if not, you may well not be able to make the transfer.

Or – choose a provider that is Schrems-compliant.

How Keepabl can help

Do you know all your processors, or all your transfers? Keepabl’s Privacy Management Software is your out of the box Privacy Framework that leads you through the process, identifying all the loose ends, pulling it all together in instant reports and visuals.

Did you see our users believe we save between 50 and 70% of your ongoing compliance?

Contact us for your demo!